Configure LMS to use logged in user credentials

MARK BAKER
Level 4

I have just started working with Cisco LMS 4.2 and see that when using netconfig you can either use the DCR device credentials or enter a username and password during the job deployment. Since we have all of our devices using AAA with Cisco ACS and some administrators have a limited command set configured in ACS that they are allowed to use on the devices, we would like to use the LMS logged in credentials when making config changes to be able to enforce the limited command set in ACS as well as logging the real user's name.

At first I was trying to find a way to keep the DCR device credentials from being available and force the user to supply the credentials for job deployment, but it didn't appear that I could do this. After some reading of the LMS docs, which are a little hard to decipher, I think I may be able to force the logged in user credentials during job deployment.

From what I read, the Primary credentials are used if they exist in the DCR as the first choice for netconfig job deployment. The logged in user credentials may be used as a second choice (unclear about this). If neither exist, login fails. So, I was thinking that we could configure only the secondary credentials for the device in LMS for discovery and monitoring, and since the primary credentials aren't used, LMS would use the logged in user credentials. Does anyone know if this is the case, or a better way to accomplish my goal?

Thank you,
Mark

2 Replies

MARK BAKER
Level 4

I did some testing today and was not pleased with my findings.

1. I added a device with only secondary credentials and SNMP RO & RW community strings. I also had fallback to secondary credentials enabled.

   a. I deployed a job and only selected the option to save running-config to startup-config.

   b. The DCR secondary credentials were used to deploy the config changes.

2. I added network device login credentials to my user account and ran the test again.

   a. Again, the secondary device credentials from the DCR were used.

   b. It looks like if you add network device credentials to your user account, it only prepopulates the deploy credentials. You still have to check the box to use them.

3. I disabled fallback to secondary credentials and ran the test again.

   a. The config was deployed, but it appears SNMP was used, with the below log message showing the config was uploaded with TFTP.

Jun 17 15:25:36.580: %SYS-5-CONFIG_I: Configured from tftp://10.1.1.17/20130617152528266-10.10.10.1.cfg by console

It is hard for me to believe that you cannot force LMS to use the login user credentials when deploying configs to devices. If you have LMS authentication and device authentication both using TACACS, the logins would be the same and you would preserve the security policy with ACS for both CLI and LMS configuration attempts. The way it works now it looks like you can get elevated privilege when using LMS to make config changes. Does anyone else see the issue with this?

This is my second disappointment with LMS. The first being that you can't map roles and groups with TACACS attributes.

Thanks,
Mark
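The log line quoted in the post above is the observable a defender can key on: a config pushed over SNMP/TFTP is recorded as "by console" with no username, whereas a TACACS-authenticated CLI session records the user, line and source address. The following is an added example, not code from this thread or from Cisco LMS; it parses %SYS-5-CONFIG_I events and flags those that carry no user attribution. The sample log lines are constructed (the first is the one quoted above).

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# IOS config-change syslog (%SYS-5-CONFIG_I). Two shapes matter here:
#   Configured from tftp://10.1.1.17/x.cfg by console        <- SNMP-triggered TFTP copy
#   Configured from console by mbaker on vty1 (10.10.10.50)  <- AAA-authenticated CLI user
CONFIG_I = re.compile(
    r"%SYS-5-CONFIG_I: Configured from (?P<source>\S+) by (?P<actor>\S+)"
    r"(?: on (?P<line>\S+) \((?P<addr>[^)]+)\))?"
)

@dataclass
class ConfigChange:
    source: str            # where the config came from (console, tftp://..., memory)
    actor: str             # username, or the literal "console" when no user is recorded
    line: Optional[str]    # vty/tty line, only present for CLI sessions
    addr: Optional[str]    # source IP of the CLI session, if any

    @property
    def attributed(self) -> bool:
        # "by console" means IOS recorded no authenticated user, so TACACS
        # command authorization and per-user accounting never applied.
        return self.actor != "console"

def parse_config_change(line: str) -> Optional[ConfigChange]:
    """Parse one syslog line; return None if it is not a CONFIG_I event."""
    m = CONFIG_I.search(line)
    if m is None:
        return None
    return ConfigChange(m["source"], m["actor"], m["line"], m["addr"])

def unattributed_changes(lines: List[str]) -> List[ConfigChange]:
    """Config-change events that carry no username (the case worth alerting on)."""
    events = (parse_config_change(l) for l in lines)
    return [e for e in events if e is not None and not e.attributed]

# Constructed sample: the first line is the one quoted in the post above, the
# others are made up to show an attributed change and an unrelated message.
SAMPLE_LOG = [
    "Jun 17 15:25:36.580: %SYS-5-CONFIG_I: Configured from tftp://10.1.1.17/20130617152528266-10.10.10.1.cfg by console",
    "Jun 17 15:31:02.104: %SYS-5-CONFIG_I: Configured from console by mbaker on vty1 (10.10.10.50)",
    "Jun 17 15:32:11.930: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan10, changed state to up",
    "Jun 17 15:40:48.217: %SYS-5-CONFIG_I: Configured from console by console",
]

if __name__ == "__main__":
    for ev in unattributed_changes(SAMPLE_LOG):
        print(f"unattributed config change from {ev.source}")
```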

The Cisco forum isn't what it used to be... You used to be able to find an answer to just about anything on here. Recently you're lucky to get a reply.

I'm still struggling with this issue. I am trying to configure a role to match my ACS command set as closely as possible, but instead find issues in various parts of LMS. Many monitor widgets say no data available or no authorized devices to show etc...

If I could get LMS to use the logged in user's credentials I could just give the user full access in LMS and let ACS do its job by only allowing commands from the command set assigned to the user. I would say I have to duplicate my efforts for authorization, but I can't even say that since I can't duplicate it with roles closely enough.

Thank you,
Mark